In the race to build “agentic” AI—tools that can act on your behalf across digital environments—transparency is often the first casualty. A technical audit published on April 18, 2026, by privacy researcher Alexander Hanff has exposed an undocumented behavior in Anthropic’s Claude Desktop application for macOS that has the cybersecurity community on high alert.
The report reveals that Claude Desktop silently installs a Native Messaging bridge into the configuration directories of multiple Chromium-based browsers without user notification or consent. By bypassing standard “opt-in” flows, this integration creates a persistent, out-of-sandbox communication channel that could potentially be exploited for unauthorized data access or local code execution.+1
Technical Breakdown: How the Claude Bridge Operates
The core of this discovery is a configuration file named com.anthropic.claude_browser_extension.json.
[Image: Native Messaging Architecture showing the bridge between the Browser Sandbox and Host OS]
1. The Multi-Browser “Shotgun” Approach
Claude Desktop doesn’t just target your default browser. It automatically writes this manifest file into the application support folders of up to seven Chromium-based browsers, including:
- Google Chrome & Microsoft Edge
- Brave & Arc
- Vivaldi, Opera, & Chromium
The Red Flag: The application installs these files even for browsers that are not currently installed on the system. This ensures that the moment a user downloads a new browser, the “backdoor” is already waiting for them.
2. Persistent Regeneration
Standard manual cleanup is ineffective. Claude Desktop is designed to rewrite these manifest files every time the application launches. Unless the user completely uninstalls Claude Desktop, the bridge remains persistent.+1
3. Out-of-Sandbox Execution
A Native Messaging bridge allows a browser extension to talk to a local executable—in this case, a binary called chrome-native-host within the Claude app bundle.
- Privilege Level: The bridge runs with the same privileges as the logged-in user.
- Sandbox Bypass: Because the host binary runs outside the browser’s sandbox, it is not restricted by the security layers that usually prevent web code from touching your local files.
Security Risks: From Prompt Injection to System Access
While the bridge is intended to facilitate features like “Claude Cowork,” its existence significantly expands a system’s attack surface.
The 11.2% Success Rate: Prompt Injection
Anthropic’s own safety data highlights a critical vulnerability. The Claude for Chrome extension is susceptible to prompt injection attacks, with a reported 11.2% success rate even with current mitigations.+1
The Pivot Path: A successful prompt injection against the extension could theoretically use this pre-installed bridge to execute commands on the host machine, bypassing the browser’s security entirely.
Supply Chain and Hijacking Risks
The manifest pre-authorizes three specific Chrome extension IDs. If any of these IDs were compromised—through a malicious Web Store update, an account takeover, or a compromised build pipeline—an attacker would gain immediate, unauthorized access to the user’s host system via the bridge.
Privacy Implications: Access to the “Digital Self”
The capabilities enabled by this bridge are broad and deeply intrusive. According to Anthropic‘s documentation, the integration supports:
- Authenticated Session Access: Sharing login states, allowing the AI to act as the user on any signed-in site (banking, enterprise tools, etc.).
- DOM Reading: Accessing the full Document Object Model, which includes decrypted private messages and form data mid-type.
- Background Automation: Automating form submissions and, in some cases, background screen recording.
Compliance and Legal Concerns: The “Dark Pattern”
Alexander Hanff and other privacy advocates argue that this silent installation constitutes a “dark pattern”—a user interface designed to trick or subvert user choice.
EU ePrivacy Directive Violation?
The report suggests that the silent storage of information on a user’s device without explicit consent may violate Article 5(3) of the EU ePrivacy Directive. Regulators typically expect:
- Explicit Opt-in: Users must choose to enable cross-application integrations.
- Transparency: Clear disclosure of what files are being written and why.
- Revocation: A simple way to permanently disable the feature.
Actionable Steps for IT Managers and CISOs
If your organization uses Claude Desktop on macOS, a “Zero Trust” approach to AI agents is necessary.
- Audit Endpoints: Use MDM tools to search for
com.anthropic.claude_browser_extension.jsonin~/Library/Application Support/subdirectories. - Restrict Native Messaging: Use Chrome Enterprise Policies to whitelist only specific, verified Native Messaging hosts, effectively blocking the Claude bridge.
- Enforce Browser-Level Controls: Prevent the installation of the Claude for Chrome extension via group policy until a full risk assessment is complete.
- Monitor for Persistence: Look for repeated file-write events to browser directories originating from the Claude Desktop binary.
FAQs
Q: Does this affect Windows users? A: While the Hanff report focused on macOS, research suggests similar behavior occurs on Windows via registry keys (HKCU\Software\Google\Chrome\NativeMessagingHosts\).
Q: Is Claude Desktop “spyware”? A: While Hanff used the term to highlight the lack of consent, the industry consensus is that it is a high-risk undocumented integration. It is not necessarily “malicious” by intent, but it is “malicious” in its disregard for security boundaries.
Q: How do I remove the bridge? A: Deleting the files is temporary as Claude rewrites them. To permanently remove it, you must uninstall Claude Desktop or use OS-level permissions to make the target folders “Read-Only.”
Conclusion: Transparency Cannot Be Optional
The evolution of AI agents requires deep system integration, but that integration must be built on a foundation of trust. By silently modifying other vendors’ software directories and pre-authorizing system access, Anthropic has prioritized “frictionless” UX over fundamental security principles.+1
Is the productivity gain worth the security trade-off? Until Anthropic moves to an explicit opt-in model, organizations must treat Claude Desktop as a persistent expansion of their attack surface.
